emdash 0.6.0 → 1.0.0

package/src/astro/integration/routes.ts

@@ -46,6 +46,12 @@ export function injectCoreRoutes(injectRoute: InjectRoute): void {
 		entrypoint: resolveRoute("api/manifest.ts"),
 	});
 
+	// Auth mode endpoint (public — used by the login page to pick the right UI)
+	injectRoute({
+		pattern: "/_emdash/api/auth/mode",
+		entrypoint: resolveRoute("api/auth/mode.ts"),
+	});
+
 	injectRoute({
 		pattern: "/_emdash/api/dashboard",
 		entrypoint: resolveRoute("api/dashboard.ts"),
@@ -747,6 +753,28 @@ export function injectMcpRoute(injectRoute: InjectRoute): void {
 	});
 }
 
+/**
+ * Injects routes from pluggable auth providers.
+ *
+ * Each provider declares the routes it needs in its `AuthProviderDescriptor.routes` array.
+ * Routes are injected at build time so Vite can bundle them.
+ */
+export function injectAuthProviderRoutes(
+	injectRoute: InjectRoute,
+	providers: Array<{ routes?: Array<{ pattern: string; entrypoint: string }> }>,
+): void {
+	for (const provider of providers) {
+		if (provider.routes) {
+			for (const route of provider.routes) {
+				injectRoute({
+					pattern: route.pattern,
+					entrypoint: route.entrypoint,
+				});
+			}
+		}
+	}
+}
+
 /**
  * Injects passkey/oauth/magic-link auth routes.
  * Only used when NOT using external auth.

package/src/astro/integration/runtime.ts

@@ -7,7 +7,7 @@
  * DO NOT import Node.js-only modules here (fs, path, module, etc.)
  */
 
-import type { AuthDescriptor } from "../../auth/types.js";
+import type { AuthDescriptor, AuthProviderDescriptor } from "../../auth/types.js";
 import type { DatabaseDescriptor } from "../../db/adapters.js";
 import type { MediaProviderDescriptor } from "../../media/types.js";
 import type { ResolvedPlugin } from "../../plugins/types.js";
@@ -222,6 +222,24 @@ export interface EmDashConfig {
 	 */
 	auth?: AuthDescriptor;
 
+	/**
+	 * Pluggable auth providers (login methods on the login page).
+	 *
+	 * Auth providers appear as options alongside passkey on the login page
+	 * and setup wizard. Any provider can be used to create the initial
+	 * admin account. Passkey is built-in; providers listed here are additive.
+	 *
+	 * @example
+	 * ```ts
+	 * import { atproto } from "@emdash-cms/auth-atproto";
+	 *
+	 * emdash({
+	 *   authProviders: [atproto()],
+	 * })
+	 * ```
+	 */
+	authProviders?: AuthProviderDescriptor[];
+
 	/**
 	 * MCP (Model Context Protocol) server endpoint.
 	 *
@@ -284,6 +302,32 @@ export interface EmDashConfig {
 	 */
 	siteUrl?: string;
 
+	/**
+	 * Headers to trust for client IP resolution when running behind a reverse
+	 * proxy. The first header in this list that is present on the request
+	 * wins. Applies to rate limiting for auth endpoints and comment
+	 * submission.
+	 *
+	 * Common values:
+	 * - `x-real-ip` — nginx, Caddy, Traefik
+	 * - `fly-client-ip` — Fly.io
+	 * - `x-forwarded-for` — generic (first entry is used)
+	 *
+	 * Only set this when you **control the reverse proxy**. Untrusted
+	 * clients can set any header they like; trusting headers from an open
+	 * network is an IP-spoofing vulnerability that defeats rate limiting.
+	 *
+	 * On Cloudflare the `cf` object on the request is used automatically —
+	 * you normally don't need to set this. Leave unset (or empty) to
+	 * preserve the default: IP is resolved only when the request came
+	 * through Cloudflare's edge.
+	 *
+	 * Falls back to `EMDASH_TRUSTED_PROXY_HEADERS` env var (comma-separated)
+	 * when this option is not set, so operators can configure at deploy
+	 * time without touching the Astro config.
+	 */
+	trustedProxyHeaders?: string[];
+
 	/**
 	 * Enable playground mode for ephemeral "try EmDash" sites.
 	 *
@@ -378,13 +422,41 @@ export interface EmDashConfig {
 				 * Additional Noto Sans script families to include.
 				 *
 				 * Available scripts: arabic, armenian, bengali, chinese-simplified,
-				 * chinese-traditional, chinese-hongkong, devanagari, ethiopic,
+				 * chinese-traditional, chinese-hongkong, devanagari, ethiopic, farsi,
 				 * georgian, gujarati, gurmukhi, hebrew, japanese, kannada, khmer,
 				 * korean, lao, malayalam, myanmar, oriya, sinhala, tamil, telugu,
 				 * thai, tibetan.
 				 */
 				scripts?: string[];
 		  };
+
+	/**
+	 * Admin UI branding (white-labeling).
+	 *
+	 * Overrides the default EmDash logo and name in the admin panel.
+	 * Use this to white-label the CMS for agency or enterprise deployments.
+	 * These settings are separate from the public site settings (title, logo,
+	 * favicon) which remain available for SEO and front-end use.
+	 *
+	 * @example
+	 * ```ts
+	 * emdash({
+	 *   admin: {
+	 *     logo: "/images/agency-logo.webp",
+	 *     siteName: "AgencyX CMS",
+	 *     favicon: "/favicon.ico",
+	 *   },
+	 * })
+	 * ```
+	 */
+	admin?: {
+		/** URL or path to a custom logo image for the admin UI (login page, sidebar). */
+		logo?: string;
+		/** Custom name displayed in the admin sidebar and browser tab. */
+		siteName?: string;
+		/** URL or path to a custom favicon for the admin panel. */
+		favicon?: string;
+	};
 }
 
 /**

package/src/astro/integration/virtual-modules.ts

@@ -10,6 +10,7 @@ import { readFileSync } from "node:fs";
 import { createRequire } from "node:module";
 import { resolve } from "node:path";
 
+import type { AuthProviderDescriptor } from "../../auth/types.js";
 import type { MediaProviderDescriptor } from "../../media/types.js";
 import { defaultSeed } from "../../seed/default.js";
 import type { PluginDescriptor } from "./runtime.js";
@@ -47,6 +48,9 @@ export const RESOLVED_VIRTUAL_SANDBOXED_PLUGINS_ID = "\0" + VIRTUAL_SANDBOXED_PL
 export const VIRTUAL_AUTH_ID = "virtual:emdash/auth";
 export const RESOLVED_VIRTUAL_AUTH_ID = "\0" + VIRTUAL_AUTH_ID;
 
+export const VIRTUAL_AUTH_PROVIDERS_ID = "virtual:emdash/auth-providers";
+export const RESOLVED_VIRTUAL_AUTH_PROVIDERS_ID = "\0" + VIRTUAL_AUTH_PROVIDERS_ID;
+
 export const VIRTUAL_MEDIA_PROVIDERS_ID = "virtual:emdash/media-providers";
 export const RESOLVED_VIRTUAL_MEDIA_PROVIDERS_ID = "\0" + VIRTUAL_MEDIA_PROVIDERS_ID;
 
@@ -135,6 +139,43 @@ export const authenticate = _authenticate;
 `;
 }
 
+/**
+ * Generates the auth providers module.
+ *
+ * Statically imports each auth provider's `adminEntry` module and exports
+ * a registry keyed by provider ID. The admin UI uses this to render
+ * provider-specific login buttons/forms and setup steps.
+ *
+ * Follows the same pattern as `generateAdminRegistryModule()` for plugins.
+ */
+export function generateAuthProvidersModule(descriptors: AuthProviderDescriptor[]): string {
+	const withAdmin = descriptors.filter((d) => d.adminEntry);
+
+	if (withAdmin.length === 0) {
+		return `export const authProviders = {};`;
+	}
+
+	const imports: string[] = [];
+	const entries: string[] = [];
+
+	withAdmin.forEach((descriptor, index) => {
+		const varName = `authProvider${index}`;
+		imports.push(`import * as ${varName} from ${JSON.stringify(descriptor.adminEntry)};`);
+		entries.push(
+			`  ${JSON.stringify(descriptor.id)}: { ...${varName}, id: ${JSON.stringify(descriptor.id)}, label: ${JSON.stringify(descriptor.label)} },`,
+		);
+	});
+
+	return `
+// Auto-generated auth provider registry
+${imports.join("\n")}
+
+export const authProviders = {
+${entries.join("\n")}
+};
+`;
+}
+
 /**
  * Generates the plugins module.
  * Imports and instantiates all plugins at runtime.

package/src/astro/integration/vite-config.ts

@@ -7,7 +7,7 @@
 
 import { existsSync } from "node:fs";
 import { createRequire } from "node:module";
-import { dirname, resolve } from "node:path";
+import { dirname, isAbsolute, relative, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 
 import type { AstroConfig } from "astro";
@@ -32,6 +32,8 @@ import {
 	RESOLVED_VIRTUAL_SANDBOXED_PLUGINS_ID,
 	VIRTUAL_AUTH_ID,
 	RESOLVED_VIRTUAL_AUTH_ID,
+	VIRTUAL_AUTH_PROVIDERS_ID,
+	RESOLVED_VIRTUAL_AUTH_PROVIDERS_ID,
 	VIRTUAL_MEDIA_PROVIDERS_ID,
 	RESOLVED_VIRTUAL_MEDIA_PROVIDERS_ID,
 	VIRTUAL_BLOCK_COMPONENTS_ID,
@@ -46,6 +48,7 @@ import {
 	generateDialectModule,
 	generateStorageModule,
 	generateAuthModule,
+	generateAuthProvidersModule,
 	generatePluginsModule,
 	generateAdminRegistryModule,
 	generateSandboxRunnerModule,
@@ -104,24 +107,34 @@ function resolveAdminDist(): string {
 	return dirname(adminPath);
 }
 
+/**
+ * Check whether child is inside parent without relying on simple prefix checks.
+ */
+function isInside(parent: string, child: string): boolean {
+	const relativePath = relative(parent, child);
+	return relativePath === "" || (!relativePath.startsWith("..") && !isAbsolute(relativePath));
+}
+
 /**
  * Resolve path to the admin package source directory.
- * In dev mode, we alias @emdash-cms/admin to the source so Vite processes it
- * directly — giving instant HMR instead of requiring a rebuild + restart.
+ * In dev mode inside this repo, we alias @emdash-cms/admin to the source so
+ * Vite processes it directly — giving instant HMR instead of requiring a
+ * rebuild + restart. External apps should use the built package surface.
  */
-function resolveAdminSource(): string | undefined {
+function resolveAdminSource(projectRoot: string): string | undefined {
 	const require = createRequire(import.meta.url);
 	const adminPath = require.resolve("@emdash-cms/admin");
 	// dist/index.js -> go up to package root, then into src/
 	const packageRoot = resolve(dirname(adminPath), "..");
+	const repoRoot = resolve(packageRoot, "..", "..");
 	const srcEntry = resolve(packageRoot, "src", "index.ts");
 
 	try {
-		if (existsSync(srcEntry)) {
+		if (existsSync(srcEntry) && isInside(repoRoot, projectRoot)) {
 			return resolve(packageRoot, "src");
 		}
 	} catch {
-		// Not in monorepo — fall back to dist
+		// Not in local repo — fall back to dist
 	}
 	return undefined;
 }
@@ -170,6 +183,9 @@ export function createVirtualModulesPlugin(options: VitePluginOptions): Plugin {
 			if (id === VIRTUAL_AUTH_ID) {
 				return RESOLVED_VIRTUAL_AUTH_ID;
 			}
+			if (id === VIRTUAL_AUTH_PROVIDERS_ID) {
+				return RESOLVED_VIRTUAL_AUTH_PROVIDERS_ID;
+			}
 			if (id === VIRTUAL_MEDIA_PROVIDERS_ID) {
 				return RESOLVED_VIRTUAL_MEDIA_PROVIDERS_ID;
 			}
@@ -228,6 +244,10 @@ export function createVirtualModulesPlugin(options: VitePluginOptions): Plugin {
 				}
 				return generateAuthModule(authDescriptor.entrypoint);
 			}
+			// Generate auth providers module (pluggable login methods)
+			if (id === RESOLVED_VIRTUAL_AUTH_PROVIDERS_ID) {
+				return generateAuthProvidersModule(resolvedConfig.authProviders ?? []);
+			}
 			// Generate media providers module
 			if (id === RESOLVED_VIRTUAL_MEDIA_PROVIDERS_ID) {
 				return generateMediaProvidersModule(resolvedConfig.mediaProviders ?? []);
@@ -281,12 +301,9 @@ export function createViteConfig(
 	const adminDistPath = resolveAdminDist();
 	const cloudflare = isCloudflareAdapter(options.astroConfig);
 	const isDev = command === "dev";
+	const projectRoot = fileURLToPath(options.astroConfig.root);
 
-	// In dev mode within the monorepo, alias JS imports to source for instant HMR.
-	// CSS always comes from dist/ (pre-compiled by @tailwindcss/cli) since Tailwind's
-	// Vite plugin has native deps that don't bundle well. Run `pnpm dev` in packages/admin
-	// alongside the demo server to get CSS watch-rebuilds too.
-	const adminSourcePath = isDev ? resolveAdminSource() : undefined;
+	const adminSourcePath = isDev ? resolveAdminSource(projectRoot) : undefined;
 	const useSource = adminSourcePath !== undefined;
 
 	return {
@@ -308,6 +325,20 @@ export function createViteConfig(
 			alias: [
 				{ find: "@emdash-cms/admin/styles.css", replacement: resolve(adminDistPath, "styles.css") },
 				{ find: "@emdash-cms/admin", replacement: useSource ? adminSourcePath : adminDistPath },
+				// `use-sync-external-store/shim` is a React <18 polyfill that ships
+				// only as CJS. It's pulled in transitively by `@tiptap/react`. With
+				// pnpm's virtual store the file lives under .pnpm/, where Vite's
+				// dep scanner can't reach it for pre-bundling — so the browser is
+				// served raw `module.exports` and hydration fails with
+				// `SyntaxError: ... does not provide an export named
+				// 'useSyncExternalStore'`. Redirect both shim entry points to the
+				// main `use-sync-external-store` package, which on React >=18
+				// (our peer-dep floor) delegates to React's built-in hook.
+				{
+					find: "use-sync-external-store/shim/index.js",
+					replacement: "use-sync-external-store",
+				},
+				{ find: "use-sync-external-store/shim", replacement: "use-sync-external-store" },
 			],
 		},
 		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- Monorepo has both vite 6 (docs) and vite 7 (core). tsgo resolves correctly.
@@ -316,7 +347,7 @@ export function createViteConfig(
 			// In dev mode with source alias, compile Lingui macros on the fly
 			// and redirect locale .mjs imports to dist/.
 			// In production, macros are pre-compiled by tsdown in the admin package.
-			...(useSource ? [linguiMacroPlugin(adminSourcePath!, adminDistPath)] : []),
+			...(useSource ? [linguiMacroPlugin(adminSourcePath, adminDistPath)] : []),
 		] as NonNullable<AstroConfig["vite"]>["plugins"],
 		// Handle native modules for SSR.
 		// On Node: external keeps native addons out of the SSR bundle.

package/src/astro/middleware/auth.ts

@@ -17,6 +17,8 @@ import { ulid } from "ulidx";
 // Import auth provider via virtual module (statically bundled)
 // This avoids dynamic import issues in Cloudflare Workers
 import { authenticate as virtualAuthenticate } from "virtual:emdash/auth";
+// @ts-ignore - virtual module
+import virtualConfig from "virtual:emdash/config";
 
 import { checkPublicCsrf } from "../../api/csrf.js";
 import { apiError } from "../../api/error.js";
@@ -111,6 +113,7 @@ const PUBLIC_API_PREFIXES = [
 const PUBLIC_API_EXACT = new Set([
 	"/_emdash/api/auth/passkey/options",
 	"/_emdash/api/auth/passkey/verify",
+	"/_emdash/api/auth/mode",
 	"/_emdash/api/oauth/token",
 	"/_emdash/api/snapshot",
 	// Public site search — read-only. The query layer hardcodes status='published'
@@ -119,6 +122,22 @@ const PUBLIC_API_EXACT = new Set([
 	"/_emdash/api/search",
 ]);
 
+// Build merged public routes at module load from auth provider descriptors.
+// Routes ending with "/" are treated as prefixes; all others are exact matches.
+const { exact: _providerExactRoutes, prefixes: _providerPrefixRoutes } = (() => {
+	const exact = new Set<string>();
+	const prefixes: string[] = [];
+	if (!virtualConfig?.authProviders) return { exact, prefixes };
+	for (const route of virtualConfig.authProviders.flatMap((p) => p.publicRoutes ?? [])) {
+		if (route.endsWith("/")) {
+			prefixes.push(route);
+		} else {
+			exact.add(route);
+		}
+	}
+	return { exact, prefixes };
+})();
+
 /**
  * OAuth protocol endpoints that are CSRF-exempt by design.
  *
@@ -146,6 +165,8 @@ const CSRF_EXEMPT_PUBLIC_ROUTES = new Set([
 function isPublicEmDashRoute(pathname: string): boolean {
 	if (PUBLIC_API_EXACT.has(pathname)) return true;
 	if (PUBLIC_API_PREFIXES.some((p) => pathname.startsWith(p))) return true;
+	if (_providerExactRoutes.has(pathname)) return true;
+	if (_providerPrefixRoutes.some((p) => pathname.startsWith(p))) return true;
 	if (import.meta.env.DEV && pathname === "/_emdash/api/typegen") return true;
 	return false;
 }

package/src/astro/middleware.ts

@@ -43,6 +43,7 @@ import {
 } from "../emdash-runtime.js";
 import { setI18nConfig } from "../i18n/config.js";
 import type { Database, Storage } from "../index.js";
+import { createPublicMediaUrlResolver } from "../media/url.js";
 import type { SandboxRunner } from "../plugins/sandbox/types.js";
 import type { ResolvedPlugin } from "../plugins/types.js";
 import { getRequestContext, runWithContext } from "../request-context.js";
@@ -232,6 +233,20 @@ export const onRequest = defineMiddleware(async (context, next) => {
 	const { request, locals, cookies } = context;
 	const url = context.url;
 
+	// Fast path: routes outside /_emdash/ that plugins inject (e.g.,
+	// /.well-known/atproto-client-metadata.json) skip the entire runtime
+	// init + middleware chain. External servers fetch these with tight
+	// timeouts (~1-2s) so they must respond quickly even on cold starts.
+	if (!url.pathname.startsWith("/_emdash") && virtualConfig?.authProviders) {
+		const isPluginFastRoute = virtualConfig.authProviders.some(
+			(p: { routes?: { pattern?: string }[] }) =>
+				p.routes?.some((r: { pattern?: string }) => r.pattern && url.pathname === r.pattern),
+		);
+		if (isPluginFastRoute) {
+			return finalizeResponse(await next());
+		}
+	}
+
 	const queryRecorder = isInstrumentationEnabled()
 		? createRecorder(url.pathname, request.method, request.headers.get("x-perf-phase") ?? "default")
 		: undefined;
@@ -301,10 +316,11 @@ export const onRequest = defineMiddleware(async (context, next) => {
 					try {
 						const runtime = await getRuntime(config, initSubTimings);
 						setupVerified = true;
-						// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- partial object; getPageRuntime() only checks for these two methods
+						// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- partial object; getPageRuntime() only checks for the page-contribution methods
 						locals.emdash = {
 							collectPageMetadata: runtime.collectPageMetadata.bind(runtime),
 							collectPageFragments: runtime.collectPageFragments.bind(runtime),
+							getPublicMediaUrl: createPublicMediaUrlResolver(runtime.storage),
 						} as EmDashHandlers;
 					} catch {
 						// Non-fatal — EmDashHead will fall back to base SEO contributions
@@ -445,6 +461,7 @@ export const onRequest = defineMiddleware(async (context, next) => {
 					// Direct access (for advanced use cases)
 					storage: runtime.storage,
 					db: runtime.db,
+					getPublicMediaUrl: createPublicMediaUrlResolver(runtime.storage),
 					hooks: runtime.hooks,
 					email: runtime.email,
 					configuredPlugins: runtime.configuredPlugins,

package/src/astro/routes/PluginRegistry.tsx

@@ -10,6 +10,8 @@ import { AdminApp } from "@emdash-cms/admin";
 import type { Messages } from "@lingui/core";
 // @ts-ignore - virtual module generated by integration
 import { pluginAdmins } from "virtual:emdash/admin-registry";
+// @ts-ignore - virtual module generated by integration
+import { authProviders } from "virtual:emdash/auth-providers";
 
 interface AdminWrapperProps {
 	locale: string;
@@ -17,5 +19,12 @@ interface AdminWrapperProps {
 }
 
 export default function AdminWrapper({ locale, messages }: AdminWrapperProps) {
-	return <AdminApp pluginAdmins={pluginAdmins} locale={locale} messages={messages} />;
+	return (
+		<AdminApp
+			pluginAdmins={pluginAdmins}
+			authProviders={authProviders}
+			locale={locale}
+			messages={messages}
+		/>
+	);
 }

package/src/astro/routes/admin.astro

@@ -18,6 +18,9 @@ import { resolveLocale, loadMessages, getLocaleDir } from "@emdash-cms/admin/loc
 const resolvedLocale = resolveLocale(Astro.request);
 const resolvedDir = getLocaleDir(resolvedLocale);
 const messages = await loadMessages(resolvedLocale);
+
+const adminConfig = Astro.locals.emdash?.config?.admin;
+const pageTitle = adminConfig?.siteName ? `${adminConfig.siteName} Admin` : "EmDash Admin";
 ---
 
 <!doctype html>
@@ -26,13 +29,17 @@ const messages = await loadMessages(resolvedLocale);
 		<meta charset="UTF-8" />
 		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
 		<Font cssVariable="--font-emdash" />
-		<link
-			rel="icon"
-			href="data:image/svg+xml,<svg width='75' height='75' viewBox='0 0 75 75' fill='none' xmlns='http://www.w3.org/2000/svg'> <g clip-path='url(%23clip0_50_99)'> <rect x='3' y='3' width='69' height='69' rx='10.518' stroke='url(%23paint0_linear_50_99)' stroke-width='6'/> <rect x='18' y='34' width='39.3661' height='6.56101' fill='url(%23paint1_linear_50_99)'/> </g> <defs> <linearGradient id='paint0_linear_50_99' x1='-42.9996' y1='124' x2='92.4233' y2='-41.7456' gradientUnits='userSpaceOnUse'> <stop stop-color='%230F006B'/> <stop offset='0.0833333' stop-color='%23281A81'/> <stop offset='0.166667' stop-color='%235D0C83'/> <stop offset='0.25' stop-color='%23911475'/> <stop offset='0.333333' stop-color='%23CE2F55'/> <stop offset='0.416667' stop-color='%23FF6633'/> <stop offset='0.5' stop-color='%23F6821F'/> <stop offset='0.583333' stop-color='%23FBAD41'/> <stop offset='0.666667' stop-color='%23FFCD89'/> <stop offset='0.75' stop-color='%23FFE9CB'/> <stop offset='0.833333' stop-color='%23FFF7EC'/> <stop offset='0.916667' stop-color='%23FFF8EE'/> <stop offset='1' stop-color='white'/> </linearGradient> <linearGradient id='paint1_linear_50_99' x1='91.4992' y1='27.4982' x2='28.1217' y2='54.1775' gradientUnits='userSpaceOnUse'> <stop stop-color='white'/> <stop offset='0.129253' stop-color='%23FFF8EE'/> <stop offset='0.617058' stop-color='%23FBAD41'/> <stop offset='0.848019' stop-color='%23F6821F'/> <stop offset='1' stop-color='%23FF6633'/> </linearGradient> <clipPath id='clip0_50_99'> <rect width='75' height='75' fill='white'/> </clipPath> </defs> </svg>"
-		/>
-		<title>EmDash Admin</title>
+		{adminConfig?.favicon ? (
+			<link rel="icon" href={adminConfig.favicon} />
+		) : (
+			<link
+				rel="icon"
+				href="data:image/svg+xml,<svg width='75' height='75' viewBox='0 0 75 75' fill='none' xmlns='http://www.w3.org/2000/svg'> <g clip-path='url(%23clip0_50_99)'> <rect x='3' y='3' width='69' height='69' rx='10.518' stroke='url(%23paint0_linear_50_99)' stroke-width='6'/> <rect x='18' y='34' width='39.3661' height='6.56101' fill='url(%23paint1_linear_50_99)'/> </g> <defs> <linearGradient id='paint0_linear_50_99' x1='-42.9996' y1='124' x2='92.4233' y2='-41.7456' gradientUnits='userSpaceOnUse'> <stop stop-color='%230F006B'/> <stop offset='0.0833333' stop-color='%23281A81'/> <stop offset='0.166667' stop-color='%235D0C83'/> <stop offset='0.25' stop-color='%23911475'/> <stop offset='0.333333' stop-color='%23CE2F55'/> <stop offset='0.416667' stop-color='%23FF6633'/> <stop offset='0.5' stop-color='%23F6821F'/> <stop offset='0.583333' stop-color='%23FBAD41'/> <stop offset='0.666667' stop-color='%23FFCD89'/> <stop offset='0.75' stop-color='%23FFE9CB'/> <stop offset='0.833333' stop-color='%23FFF7EC'/> <stop offset='0.916667' stop-color='%23FFF8EE'/> <stop offset='1' stop-color='white'/> </linearGradient> <linearGradient id='paint1_linear_50_99' x1='91.4992' y1='27.4982' x2='28.1217' y2='54.1775' gradientUnits='userSpaceOnUse'> <stop stop-color='white'/> <stop offset='0.129253' stop-color='%23FFF8EE'/> <stop offset='0.617058' stop-color='%23FBAD41'/> <stop offset='0.848019' stop-color='%23F6821F'/> <stop offset='1' stop-color='%23FF6633'/> </linearGradient> <clipPath id='clip0_50_99'> <rect width='75' height='75' fill='white'/> </clipPath> </defs> </svg>"
+			/>
+		)}
+		<title>{pageTitle}</title>
 	</head>
-	<body>
+	<body class="isolate">
 		<div id="admin-root" class="min-h-screen">
 			<div id="emdash-boot-loader">
 				<style>
@@ -82,7 +89,7 @@ const messages = await loadMessages(resolvedLocale);
 				</style>
 				<div class="loader-inner">
 					<div class="spinner"></div>
-					<p>Loading EmDash...</p>
+					<p>{adminConfig?.siteName ? `Loading ${adminConfig.siteName}...` : "Loading EmDash..."}</p>
 				</div>
 			</div>
 			<AdminWrapper client:only="react" locale={resolvedLocale} messages={messages} />

package/src/astro/routes/api/auth/magic-link/send.ts

@@ -19,6 +19,7 @@ import { isParseError, parseBody } from "#api/parse.js";
 import { magicLinkSendBody } from "#api/schemas.js";
 import { getSiteBaseUrl } from "#api/site-url.js";
 import { checkRateLimit, getClientIp } from "#auth/rate-limit.js";
+import { getTrustedProxyHeaders } from "#auth/trusted-proxy.js";
 import { OptionsRepository } from "#db/repositories/options.js";
 
 export const POST: APIRoute = async ({ request, locals }) => {
@@ -36,7 +37,7 @@ export const POST: APIRoute = async ({ request, locals }) => {
 		if (isParseError(body)) return body;
 
 		// Rate limit: 3 requests per 300 seconds (5 minutes) per IP
-		const ip = getClientIp(request);
+		const ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));
 		const rateLimit = await checkRateLimit(emdash.db, ip, "magic-link/send", 3, 300);
 		if (!rateLimit.allowed) {
 			// Return success-shaped response to avoid revealing rate limit

package/src/astro/routes/api/auth/mode.ts

@@ -0,0 +1,57 @@
+/**
+ * GET /_emdash/api/auth/mode
+ *
+ * Public endpoint that returns the active authentication mode.
+ * Used by the login page to determine which login UI to render.
+ *
+ * Unlike the full manifest endpoint, this is intentionally public
+ * and returns only the auth mode — no collection schemas, plugin
+ * info, or other internal details.
+ */
+
+import type { APIRoute } from "astro";
+
+import { getAuthMode } from "#auth/mode.js";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ locals }) => {
+	const { emdash } = locals;
+
+	const authMode = getAuthMode(emdash?.config);
+
+	// Only check signup for passkey auth (external providers handle their own)
+	let signupEnabled = false;
+	if (emdash?.db && authMode.type === "passkey") {
+		try {
+			const { sql } = await import("kysely");
+			const result = await sql<{ cnt: unknown }>`
+				SELECT COUNT(*) as cnt FROM allowed_domains WHERE enabled = 1
+			`.execute(emdash.db);
+			signupEnabled = Number(result.rows[0]?.cnt ?? 0) > 0;
+		} catch {
+			// Table may not exist yet
+		}
+	}
+
+	// Collect pluggable auth providers (from authProviders config)
+	const providers = (emdash?.config?.authProviders ?? []).map((p) => ({
+		id: p.id,
+		label: p.label,
+	}));
+
+	return Response.json(
+		{
+			data: {
+				authMode: authMode.type === "external" ? authMode.providerType : "passkey",
+				signupEnabled,
+				providers,
+			},
+		},
+		{
+			headers: {
+				"Cache-Control": "private, no-store",
+			},
+		},
+	);
+};

package/src/astro/routes/api/auth/oauth/[provider]/callback.ts

@@ -18,7 +18,9 @@ import {
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 
 import { getPublicOrigin } from "#api/public-url.js";
+import { finalizeSetup } from "#api/setup-complete.js";
 import { createOAuthStateStore } from "#auth/oauth-state-store.js";
+import { OptionsRepository } from "#db/repositories/options.js";
 
 type ProviderName = "github" | "google";
 
@@ -126,10 +128,22 @@ export const GET: APIRoute = async ({ params, request, locals, session, redirect
 			);
 		}
 
+		const adapter = createKyselyAdapter(emdash.db);
+		const stateStore = createOAuthStateStore(emdash.db);
+
 		const config: OAuthConsumerConfig = {
 			baseUrl: `${getPublicOrigin(url, emdash?.config)}/_emdash`,
 			providers,
 			canSelfSignup: async (email: string) => {
+				// During setup: first user becomes admin.
+				// Check setup_complete flag instead of countUsers() to avoid
+				// a TOCTOU race where concurrent callbacks both see 0 users.
+				const options = new OptionsRepository(emdash.db);
+				const setupComplete = await options.get("emdash:setup_complete");
+				if (setupComplete !== true && setupComplete !== "true") {
+					return { allowed: true, role: Role.ADMIN };
+				}
+
 				// Extract domain from email
 				const domain = email.split("@")[1]?.toLowerCase();
 				if (!domain) {
@@ -168,10 +182,16 @@ export const GET: APIRoute = async ({ params, request, locals, session, redirect
 			},
 		};
 
-		const adapter = createKyselyAdapter(emdash.db);
-		const stateStore = createOAuthStateStore(emdash.db);
-
+		const options = new OptionsRepository(emdash.db);
+		const setupCompleteBefore = await options.get("emdash:setup_complete");
 		const user = await handleOAuthCallback(config, adapter, provider, code, state, stateStore);
+		const isFirstUser = setupCompleteBefore !== true && setupCompleteBefore !== "true";
+
+		// Finalize setup outside the transaction (idempotent, safe if two callbacks race).
+		if (isFirstUser) {
+			await finalizeSetup(emdash.db);
+			console.log(`[oauth] Setup complete: created admin user via ${provider} (${user.email})`);
+		}
 
 		// Create session
 		if (session) {